Vulnerability CVE-2015-1042


Published: 2015-02-10   Modified: 2015-11-27

Description:
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Mantis BugTracker 1.2.19 Open Redirect
Alejo Popovici
29.01.2015

Type:

CWE-601

(URL Redirection to Untrusted Site ('Open Redirect'))

Vendor: Mantisbt
Product: Mantisbt 
Version:
1.2.9
1.2.8
1.2.7
1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.18
1.2.17
1.2.16
1.2.15
1.2.14
1.2.13
1.2.12
1.2.11
1.2.10
1.2.1
1.2.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
4.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None

 References:
https://www.mantisbt.org/bugs/view.php?id=17997
http://www.securitytracker.com/id/1031633
http://www.openwall.com/lists/oss-security/2015/01/11/8
http://www.openwall.com/lists/oss-security/2015/01/10/5
http://seclists.org/fulldisclosure/2015/Jan/110
http://packetstormsecurity.com/files/130142/Mantis-BugTracker-1.2.19-Open-Redirect.html

Related CVE
CVE-2017-7620
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which ...
CVE-2017-7897
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settin...
CVE-2017-7615
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
CVE-2017-7309
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1....
CVE-2017-7241
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP...
CVE-2017-6973
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.
CVE-2017-7222
A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires priv...
CVE-2017-6958
An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by crafting any valid parameter.

Copyright 2017, cxsecurity.com